We're also using Shibboleth today, and we're also planning to drop it in
favor of CAS' SAML2 support. I have played a bit with using CAS as the IdP
and it seems to work in my limited testing against the Shibboleth SP
(mod_auth_shib) on Apache HTTPD.